Free Tools

Security tools that never leave your tab.

Eight client-side utilities for everyday security work. No accounts, no analytics on inputs, no server round-trips. Hashing uses the Web Crypto API; calculators are pure math; lookups go straight from your browser to public resolvers.

8
Tools
0
Inputs logged
100%
Client-side

8 tools shown

ENTROPY

Password Strength Checker

Entropy bits, charset analysis and offline crack-time estimates.

Shannon entropy + character-class scoring + GPU/online attack models — all in your tab.

CryptoOpen
CRYPTO

Hash Generator

MD5, SHA-1, SHA-256, SHA-384 and SHA-512 of any string. Hex output.

Web Crypto API for SHA, hand-rolled RFC 1321 MD5 for legacy compatibility.

CryptoOpen
TOKEN

JWT Decoder

Inspect header, payload, claims and exp. Signature shown, not validated.

Base64url-decode the three segments. Verifying signatures requires the issuer's key.

CryptoOpen
EMAIL

Email Auth Checker

Resolve and grade SPF, DKIM and DMARC for any domain.

Cloudflare DNS-over-HTTPS from your browser; parses + scores every record with cited reasons.

EmailOpen
NETWORK

Subnet Calculator

IPv4 + IPv6 CIDR math, subnet splitting and supernet roll-up.

BigInt 32/128-bit math — network, broadcast, usable hosts, binary, /31 + /32 edge cases.

NetworkOpen
SCORING

CVSS v3.1 Calculator

Compute base score from the eight base metrics. Vector string included.

FIRST.org spec, implemented from the published equations. No external lookups.

ScoringOpen
PRICING

Pentest Cost Estimator

Indicative range from scope: apps, APIs, infra, days.

Based on AxVeil delivery rates plus typical industry day rates for senior operators.

AdvisoryOpen
ROI

Pentest ROI Calculator

Compare expected breach cost vs annual pentest spend.

Uses IBM Cost of a Breach 2024 averages, your records-at-risk and your control maturity.

AdvisoryOpen
FAQ

About these tools

Do these tools send my data anywhere?

Almost none do. Password strength, hash generator, JWT decoder, CVSS, subnet, pentest cost and ROI run entirely in your browser tab — no fetch() calls, no analytics on inputs, no third-party scripts touch the text or password you paste. Hashing uses the W3C Web Cryptography API (SHA family) or, for MD5, a hand-rolled RFC 1321 implementation that ships with the page. The one exception is the Email Auth Checker: validating SPF/DKIM/DMARC requires a real DNS query, so it sends the domain name (never any secret) directly from your browser to Cloudflare's public DNS-over-HTTPS resolver. You can verify all of this by opening DevTools Network and watching which requests fire while you compute.

Why is the JWT signature shown but not validated?

Validating a JWT signature requires the issuer's secret (HS256) or public key (RS256, ES256). Both live on the server, not in the user's browser, and asking a random visitor to paste a production signing key into a public web page would be a security anti-pattern. The decoder shows you the algorithm, the raw signature bytes and the canonical signing input so you can verify out-of-band with your own tooling.

How accurate is the pentest cost estimator?

It returns an indicative range, not a quote. Inputs are mapped to typical operator-days based on AxVeil's delivery experience and published industry rates for senior pentesters (CREST, OSCP, OSWE). Real quotes depend on technology stack, authentication complexity, code access, retest scope and reporting standard (ASVS L2 vs PCI DSS vs SOC 2). For a written scope, the form on the contact page goes to the operator queue.

Why use a CVSS calculator when the FIRST.org one already exists?

Two reasons: speed and copy-paste. The FIRST.org calculator is great but lives on a separate origin, ships heavier dependencies and changes URL fragment format. This one renders instantly, fits the dark theme, and emits a clean vector string ready to paste into a CWE entry, a Jira ticket or a finding template — same equations, simpler surface.

Are these tools open source?

The source ships unminified in the page bundle, which means anyone with DevTools can read the implementation. We may publish a permissively licensed standalone repo later. For now, treat them as reference implementations of well-documented standards (RFC 1321 for MD5, the FIRST CVSS v3.1 specification, the Shannon entropy definition from A Mathematical Theory of Communication).

← Back to home